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2003  REPORT  ON  COST  ESTIMATES  FOR  SECURITY  CLASSIFICATION 

ACTIVITIES 


The  security  classification  program  is  now  in  its  ninth  year  of  reporting  costs  for  both 
Government  and  industry.  Congress  first  requested  security  classification  cost 
estimates  from  the  executive  branch  in  1994.  In  addition,  the  Information  Security 
Oversight  Office  (ISOO)  is  tasked  through  Executive  Order  12958,  as  amended, 
“Classified  National  Security  Information,”  to  report  these  costs  to  the  President. 
Executive  Order  12829,  as  amended,  “National  Industrial  Security  Program,”  also 
requires  that  industry  or  contractor  costs  be  collected  and  reported  by  ISOO  to  the 
President. 

In  the  past,  the  costs  for  the  security  classification  program  were  deemed 
non-quantifiable,  intertwined  with  other  overhead  expenses.  While  many  of  the 
program’s  costs  remain  ambiguous,  ISOO  continues  to  collect  cost  estimate  data  and  to 
monitor  the  methodology  used  for  its  collection.  Requiring  agencies  to  provide  exact 
responses  to  the  cost  collection  efforts  would  be  cost  prohibitive.  Consequently,  ISOO 
relies  on  the  agencies  to  estimate  the  costs  of  the  security  classification  system.  The 
collection  methodology  has  remained  stable  over  the  past  nine  years  providing  a good 
indication  of  the  trends  in  total  cost. 

GOVERNMENT 


The  data  presented  in  this  report  were  collected  by  categories  based  on  common 
definitions  developed  by  an  executive  branch  working  group.  The  categories  are 
defined  below. 

Personnel  Security;  A series  of  interlocking  and  mutually  supporting  program 
elements  that  initially  establish  a Government  or  contractor  employee’s  eligibility,  and 
ensure  suitability  for  the  continued  access  to  classified  information. 

Physical  Security:  That  portion  of  security  concerned  with  physical  measures 
designed  to  safeguard  and  protect  classified  facilities  and  information,  domestic  or 
foreign. 

Information  Security:  Includes  three  subcategories: 

Ciassification  Management:  The  system  of  administrative  policies  and 
procedures  for  identifying,  controlling  and  protecting  classified  information  from 
unauthorized  disclosure,  the  protection  of  which  is  authorized  by  executive  order 
or  statute.  Classification  management  encompasses  those  resources  used  to 
identify,  control,  transfer,  transmit,  retrieve,  inventory,  archive,  or  destroy 
classified  information. 


Declassification:  The  authorized  change  in  the  status  of  information  from 
classified  information  to  unclassified  information.  It  encompasses  those 
resources  used  to  identify  and  process  information  subject  to  the  automatic, 
systematic  or  mandatory  review  programs  authorized  by  executive  order  or 
statute. 

information  Systems  Security  for  Ciassified  information:  An  information 
system  is  a set  of  information  resources  organized  for  the  collection,  storage, 
processing,  maintenance,  use,  sharing,  dissemination,  disposition,  display,  or 
transmission  of  information.  Security  of  these  systems  involves  the  protection  of 
information  systems  against  unauthorized  access  to  or  modification  of 
information,  whether  in  storage,  processing  or  transit,  and  against  the  denial  of 
service  to  authorized  users,  including  those  measures  necessary  to  detect, 
document,  and  counter  such  threats.  It  can  include,  but  is  not  limited  to,  the 
provision  of  all  security  features  needed  to  provide  an  accredited  system  of 
protection  for  computer  hardware  and  software,  and  classified  information, 
material,  or  processes  in  automated  systems. 

Professional  Education,  Training  and  Awareness:  The  establishment,  maintenance, 
direction,  support  and  assessment  of  a security  training  and  awareness  program;  the 
certification  and  approval  of  the  training  program;  the  development,  management,  and 
maintenance  of  training  records;  the  training  of  personnel  to  perform  tasks  associated 
with  their  duties;  and  qualification  and/or  certification  of  personnel  before  assignment  of 
security  responsibilities  related  to  classified  information. 

Security  Management  and  Planning:  Development  and  implementation  of  plans, 
procedures  and  actions  to  accomplish  policy  requirements,  develop  budget  and 
resource  requirements,  oversee  organizational  activities  and  respond  to  management 
requests  related  to  classified  information. 

Unique  Items:  Those  department  or  agency  specific  activities  that  are  not  reported  in 
any  of  the  primary  categories  but  are  nonetheless  significant  and  need  to  be  included. 

The  total  security  classification  costs  estimate  within  Government  for  FY  2003  is 
$6,531 ,005,615.  This  figure  represents  estimates  provided  by  41  executive  branch 
agencies,^  including  the  Department  of  Defense,  whose  estimate  incorporates  the 
National  Foreign  Intelligence  Program.  It  does  not  include,  however,  the  cost  estimates 
of  the  Central  Intelligence  Agency  (CIA),  which  that  agency  has  classified. 


^ Two  agencies,  the  Department  of  the  Treasury  and  the  National  Aeronautics  and  Space  Administration, 
submitted  cost  estimates  too  late  for  publication.  ISOO  substituted  last  year’s  data  for  those  two 
agencies.  Additionally,  the  Department  of  the  Interior  submitted  a corrected  cost  report  too  late  for 
publication.  ISOO  will  update  the  data  submitted  by  these  three  agencies  for  next  year’s  report  and 
analysis. 
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Because  of  expressed  interest  in  the  declassification  programs  established  under 
Executive  Order  1 2958,  as  amended,  ISOO  also  requested  agencies  to  identify  that 
portion  of  their  cost  estimates  in  the  category  of  information  security/classification 
management  that  was  attributable  to  their  declassification  programs.  The  cost  estimate 
from  one  agency  was  over  reported  by  approximately  $76  million  in  FY  2002,  including 
$65  million  for  declassification  costs.  ISOO’s  correction  of  this  over  reporting  reduces 
the  total  security  cost  for  FY  2002  to  $5,612,070,103. 

For  FY  2003,  the  agencies  reported  declassification  cost  estimates  of  $53,770,375,  or 
less  than  1 percent  of  their  total  cost  estimates.  This  figure  reflects  an  1 1 percent 
increase  from  FY  2002,  but  is  a 77  percent  decrease  from  the  cost  estimate  for 
declassification  in  FY  2001 . ISOO  is  very  concerned  about  this  number  because  it 
reflects  the  overall  trend  of  agencies  reducing  budgets  allocated  to  declassification, 
reflecting  a misperception  on  the  part  of  some  managers  that  automatic  declassification 
is  an  event  rather  than  a process  which  will  continue,  and  require  funding  for  the  very 
long  term. 


Government  Security  Classification  Costs  Estimate 
Fiscal  Year  2003 

Total 

Personnel  Security 
Physical  Security 
Information  Security 
Professional  Education  and  Training 
Security  Management  & Panning 
Unique 

0.0  0.5  1.0  1.5  2.0  2.5  3.0  3.5  4.0  4.5  5.0  5.5  6.0  6.5  7.0 

in  Billions  $ 


INDUSTRY 


A joint  Department  of  Defense  and  industry  group  developed  a cost  collection 
methodology  for  those  costs  associated  with  the  use  and  protection  of  classified 
information  within  industry.  Because  industry  accounts  for  its  costs  differently  than 
Government,  cost  estimate  data  are  not  provided  by  category.  Rather,  a sampling 
method  was  applied  that  included  volunteer  companies  from  four  different  categories  of 
facilities.  The  category  of  facility  is  based  on  the  complexity  of  security  requirements 
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that  a particular  company  must  meet  in  order  to  hold  a classified  contract  with  a 
Government  agency. 

The  2003  cost  estimate  totals  for  industry  pertain  to  the  twelve-month  accounting  period 
for  the  most  recently  completed  fiscal  year  of  each  company  that  was  part  of  the 
industry  sample.  For  most  of  the  companies  Included  In  the  sample,  December  31 , 
2003,  was  the  end  of  their  fiscal  year.  The  estimate  of  total  security  costs  for  2003 
within  industry  was  $1 ,01 1 ,524,000. 

The  Government  cost  estimate  shows  a 14  percent  increase  above  the  cost  estimate 
reported  for  FY  2002.  For  the  second  year  in  a row,  industry  reported  an  increase  in  its 
cost  estimate.  The  total  cost  estimate  for  Government  and  industry  for  2003  is 
$7.5  billion,  $1  billion  more  than  the  total  cost  estimate  for  Government  and  industry  in 
2002. 


Graph  Comparing  Cost  for  Government  and  Industry 
Fiscal  Year  1995  - 2003 


While  the  overall  trend  in  increasing  security  costs  goes  back  six  years,  there  appears 
to  be  a continuing  expansion  of  information  security  programs,  facilities  and  personnel 
as  the  Federal  executive  branch  continues  to  meet  the  requirements  identified  in  the 
aftermath  of  the  September  1 1 , 2001 , terrorist  attacks.  Many  agencies  are  reporting 
increased  costs  in  physical  security  related  to  facility  improvements,  such  as  operations 
centers,  continuity  of  operations  relocation  sites,  sensitive  compartmented  information 
facilities,  along  with  larger  guard  forces  to  keep  them  secure.  Others  are  estimating 
higher  costs  to  bring  programs  into  compliance  with  E.O.  12958,  as  amended.  Other 
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factors,  such  as  lessons-learned  from  recent  espionage  case,  have  led  to  security 
reforms  requiring  more  resources  devoted  to  personnel  security  investigations, 
information  technology  systems  security,  and  security  training  and  awareness. 

In  particular.  Physical  Security  cost  estimates  went  up  by  47  percent.  All  other 
categories  noted  increases:  Personnel  Security  (1%);  Professional  Education,  Training 
and  Awareness  (18%);  Security  Management,  Oversight  and  Planning  (16%);  Unique 
Items  (8%);  Information  Security/Classification  Management  (19%  );  and  Information 
Technology  (17%  ),  and  Declassification,  which  saw  an  1 1 percent  increase  over  the 
previous  year,  but  a 77  percent  decrease  from  FY  2001 . 

The  Executive  Agent  for  the  National  Industrial  Security  Program  (Department  of 
Defense)  samples  a larger  mix  of  small  and  large  companies,  which  appears  to  yield  the 
most  realistic  and  consistent  data  reported  to  date.  The  costs  have  increased  for  the 
second  year  in  a row,  in  large  part  due  to  contractor  support  to  the  war  on  terrorism  and 
the  war  in  Iraq  and  Afghanistan. 
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